FBI May Be Hoarding a Firefox Zero-Day (softpedia.com) 99
An anonymous reader writes: Vice reported at the end of March that the FBI and the U.S. Department of Justice are fighting tooth and nail to keep a Tor Browser exploit hidden from the public eye. Computer experts were quick to point out that this Tor Browser exploit, technically speaking, is a Firefox exploit, since Tor's browser is based on Firefox's ESR platform. Taking into account that Firefox follows open-source philosophy and reveals all security flaws reported, the effort which the FBI puts into restricting access to its exploit leads to only one conclusion, and that is that the FBI is hoarding a Firefox zero-day, currently unpatched in the browser's core -- something it hopes to use once again.
well, how many does the FBI have? (Score:5, Insightful)
Re: (Score:1)
hoarders don't just have ONE.
came here to post basically this sentiment, you beat me to it; I was gonna say I'd wager they have at least two.
Re: (Score:1)
I came to post that there are countless unpatched negative-day holes... and upon seeing that someone else already had, I was going to post that I was going to post that, but upon seeing that you have posted that you were going to post that, I have instead posted this.
Re:well, how many does the FBI have? (Score:4, Interesting)
I would wager the stupid burns because they would need to believe that they are the only group hoarding those zero day faults or that their knowledge has not leaked or sold. That is the real problem with hoarding zero day flaws, the kind of stupid ego that pre-posits they are the only people who are smart enough to find it and all the other espionage groups are just script kiddies. In reality hoarders will find that those they are meant to be protecting end up being attacked by others and as they watch it unfold, they just sit them, thumb in bum, mind in neutral as they desperately try to pretend they had nothing to do with that attack or those victims.
This has been covered before, can never use a zero day flaw because once it is detected it is gone (so major effort little to no reward), hoard a zero day flaw only to see someone else use it whilst you are still hoarding it (those victims, your fault and you are now an accessory before the fact and guilty of criminal negligence), hoard a zero day only to find others had already found it and are working on a fix and that fix is implemented before you can claim credit and earn kudos for you efforts (major effort expended and no respect gained for your agency or the support from the public that the gained respect would earn) and of course get busted hoarding an exploit and expect resounding condemnation from every one and a desire to by the public to expose the dick heads involved and a desire to see them prosecuted for criminal negligence because they have a duty of care and a duty of law to protect the public from harm.
Re:well, how many does the FBI have? (Score:4, Interesting)
Re: (Score:2)
You try building something as complex as a modern web browser, and snap your fingers and make it secure. If it's that easy.
It's a matter of priorities. If they spent more time clearing out their bug list, and less time building new features that no one wants (like pocket, or weird UI changes), the browser would be much more secure. In fact, if I were in charge at Mozilla, that would be the first thing I would do: allocate several months to fixing the most serious bugs, and then allocate enough time each month thereafter that bug count is reduced each month, instead of going up.
Re: (Score:2)
Re: (Score:2)
It's not just firefox - browsers in general have a poor history of security, because they have grown over the years from simple page-rendering engines to instruments of almost unmanageable complexity. The more complex the program, the more flaws it will contain. This is why Lynx so rarely has security issues - because it doesn't actually do very much.
Re: (Score:2)
Re: (Score:3, Interesting)
NSA just buys them all the time on the black market. [theatlantic.com]
FBI could do the same, it wouldn't even be that expensive.
Protip: All malware writers are hoarding exploits -- and even selling them on the blackhat market.
Re: well, how many does the FBI have? (Score:1)
That was the old days, now they just pay developers to submit underhanded code in new builds.
Re:well, how many does the FBI have? (Score:4, Interesting)
Why bother?
Consider Pwn2Own removed Firefox from a contenders list for being "too easy" [slashdot.org] I hope the FBI didn't pay more than a few bucks for the one. I'm sure if they paid a few more bucks they could've had 10, 100, 1000 or more.
Heck, there's tons of bugs that are reported and haven't been fixed at all...
Re: (Score:1)
That headline is a half-truth. It doesn't mean that Firefox has a lot of holes.
As explained in the comments, they chose to remove it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.
Reasonable solution (Score:1)
Re: (Score:1)
It feels like we're coming to a head here with regards to the government and technology.
At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.
If we (the tech community) don't come up with a solution, at some point an inferior one might be forced on us. Imagine a
Re: Reasonable solution (Score:3, Insightful)
With the known government lack of security how can it be? Online banking would have to vanish overnight.
Re:Reasonable solution (Score:4, Funny)
---edit for formatting--- *why doesn't slashdot have a WYSIWYG editor yet? grumble, grumble*
Oh you dreamer...we can't even edit our own posts, a WYSIWYG editor is so far beyond that capability that you may as well wish for your own Martian Moonbase stocked with 19-year old nymphomaniacs with a Beer Generator powered by perpetual motion.
Re: (Score:2)
A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.
Re: (Score:2)
A WYSIWYG editor is potentially desirable, and could be got from someone else. Post-editing is not desirable, except by people who can't let their mistakes go because their asshole is so tight that it can make diamonds. Learn to use preview, no problem.
That's just like, your opinion, man. Try this on for size:
"A WYSIWYG editor is only desirable by weenies who want to use emoticons and who are at their core, attention whores. Post-editing is desirable, except by people who NEVER make mistakes and who think their shit don't stink. Someday you'll grow up and be able to understand other people's viewpoints, and then it will be no problem."
See how easy it is to dismiss what other people want, while retaining your own gun-slit view of the world?
Virtually every
Re: (Score:2)
Virtually every message board and forum in existence allows post editing, often within a short grace period to prevent abuse.
Yes, and that is often stupid. It's good for forums where people are providing information. It's bad for forums where people are arguing. Slashdot is all about arguing, and therefore it would be bad here.
If you're that anal about being made to look like a fool by someone fixing a typo or changing the content of their post, perhaps you're a little too tightly-wound for healthy participation in a discussion forum.
This isn't about my asshole, this is about your lack of competence.
Re: (Score:2)
Slashdot is all about arguing, and therefore it would be bad here.
It's a shame that you view slashdot this way (just another way for you to vent your spleen), but I think that says a lot more about you than it does about slashdot.
-
This isn't about my asshole, this is about your lack of competence.
No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard, and with any luck you'll learn about that in High School.
Re: (Score:2)
No, it's about you being an asshole, and your inability to understand that different people want different things. Your opinion isn't the gold standard,
Ah, irony. You're being precisely the kind of asshole you're accusing me of being. This has been argued out over and over again here on Slashdot, and I'm doing you the courtesy of revisiting those dumber times to explain to you why you're wrong. It's not just my idea. It is, in fact, the will of the people.
Re: (Score:2)
It's not just my idea. It is, in fact, the will of the people.
Actually, quite a few people* have expressed a desire for post editing, but as long as you're speaking for the will of the people I guess we'll all just fall in line, Herr Drinkypoo.
-
*Indeed, Whipslash had mentioned at one point that "it was coming", so maybe your the will of the people isn't all it's cracked up to be.
Re: (Score:1)
We're reaching a point (especially with the new anti-encryption bill that's been reduced) that I'm more worried of a significant (nuclear) terrorist threat that IS POSSIBLE because the government could access X or Y. Government backdoors won't stay government only for long. Because if we cave to allow the US government a backdoor, Japan might request a backdoor in too. And England. And Germany. And countless others. At that point everything that ever was encrypted just becomes swiss cheese.
Re: (Score:2)
with a warrant, is this so unreasonable?
Yes...
A search warrant is not a find warrant. (Score:5, Insightful)
It feels like we're coming to a head here with regards to the government and technology. At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.
This statement seems to be based on a common misinterpretation of what a warrant is. Search warrants allow the police to search for things, but they do not necessarily guarantee that they will find what they're looking for, and most importantly, the existence of warrants does NOT incur an obligation on the public to live their day-to-day lives in such a way that future searches (with warrants) will be successful. Requiring computer users to use weakened or backdoored software for the simple reason that a warrant might be issued at some future time turns the Fourth Amendment to the Constitution entirely on its head
Re: (Score:3)
You're deliberately misstating what he said. What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.
But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?
Re: (Score:1)
But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?
You asked what a reasonable level of security is and society is trying to figure that out right now—both with regard to device encryption and mass collection of what was once thought of as trivial and non-private data..
Society can never be absolutely secure, but (going back to your original statement regarding warrants) the fact that search warrants can be issued on relatively meager evidence shows that the right to privacy was never seen as absolute either.
Re: (Score:2)
What he said is that as long as companies continue to create devices designed to defeat LEO, we're setting ourselves up to lose horribly. It's much better to design a legal system that allows both devices and society a reasonable level of security.
But this very statement seems to suggest a belief that in order for a society to be secure, the devices can't be. What is a "reasonable level of security" for a device? The maximum technology allows, or something else?
No, you are missing the point completely. You can't fix this problem technically. Setting people up to defeat law enforcement is bad. But it's a situation created by setting law enforcement up to defeat people. We have a nation of shit laws. It's no wonder that people do their best to get around them. If we fix the law, we'll have less offenders. Now, quick quiz, what percentage of the people in prison are nonviolent offenders?
Re: (Score:2)
Or another question worth asking: What percentage of the population can get through a typical week without committing a crime?
When the law reaches a level of complexity such that it's impossible not to break it, and we're relying on police to make the call of which crimes are worth the cost of investigating and prosecuting, it's not surprising that many people lose all respect for the law and come to regard law enforcement not as their protectors, but as a potential threat.
Re:A search warrant is not a find warrant. (Score:4, Informative)
They're not being designed "to defeat LEO". They're being designed to be as secure as possible against anyone who may wish to take the data on the device without the owner's permission. The fact that it becomes more difficult for law enforcement to get to the data is merely incidental, and I have very little sympathy for their problems in light of the fact that it's becoming more and more likely for innocent people to suffer loss of life or property at the hands of the government than from terrorists, child molesters, or whoever the public enemy du jour is.
Re:we want to advertise to criminals (Score:1)
...because we want to advertise our system to criminals...
I don't think this is Apple's intention.
It's not the criminals that sent a message that they don't want government to snoop in all their communications at will, but ordinary users like... me, and others.
Apple doesn't want to loose its market share because of the common knowledge that their devices are open to any government that likes to have a look (of course they are, but they like to pretend they're not) and so they are opposing government intrusion at this level. On a higher level of course they will
Re: (Score:2)
as long as companies continue to create devices designed to defeat LEO
There's not an important difference between a phone and a safe. You can buy a safe that the government would find nigh impossible to extract paper documents from (because paper burns, and will if enough energy is directed into the safe). The only difference is cost.
Re: (Score:1)
Fair, but then how do you deal with the externalized costs of the uninsured? We're far past letting people die without at least some semblance of care, so now who pays?
If you increase taxes and have the government pay, you get howls of socialized medicine and perverse incentives to move most people to being uninsured. If you force business to absorb the cost, you have increased costs for private parties.
I'm not a fan of the Affordable Care Act, but thus far I haven't heard of any good alternatives.
Re: (Score:1)
then what is stopping them from forcing everyone to (fill in the blank)?
The voters. If they don't do it, nobody will
Re: (Score:2)
"Hefty penalty"? It's either a 1% tax rate increase or $95. Whine much?
Re: (Score:2)
A new way of encrypting things that has a third key? Sure, but why not wish for world peace and a Star Trek style warp drive while you're at it?
Things that don't currently exist aren't a reasonable solution, either. No matter how often Congress demands them.
Re: (Score:3)
I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?
It's a bit like asking if you want digital cameras that won't produce kiddie porn. While you might score brownie points with the technically clueless, no engineer will think that's a sane idea.
a) Stealing the decryption key is a huge goldmine
b) There's more than one government with conflicting interests
c) There's open source and you can encrypt more than once
d) Nobody will know if you've tampered with it until they try
All of these means you're asking for magic. Say you want Apple to hold the device keys for
Re:Reasonable solution (Score:4, Insightful)
Re: (Score:2)
It can be difficult to sell, especially to export. Encryption has long been treated as a munition, a material of war.
Re: (Score:3)
Yes, it is unreasonable. First of all it's unconstitutional, second of all you can not 'solve' the problem without also giving access to pretty much every other entity in the world.
Re: (Score:2)
At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data.
and
I know the anti-government types will shy away from this, but, with a warrant, is this so unreasonable?
Well, let's examine some history here and see if it is unreasonable or not.
Of all the terrorist attacks on US soil, encryption was only involved in one, and once decrypted had no data within at all.
Of all terrorist attacks on US soil, the FBI already knew about the planned attacks weeks to many months in advance. They knew who would be performing the attack, where they would be attacking, and when the attack would take place.
Yet even with knowing most of the details of the attacks ahead of time, they st
Re: (Score:3)
At some point, we will have to find a reasonable solution to the problem of something which is strong enough for us, but in some way allows the government (with an appropriate warrant) to access data
The solution is here: Apple can no longer decrypt random iphones. That's it. There are bills that have been written to change that, but none are expected to even show up on the floor of the house of congress or the senate.
Re: (Score:1)
none are expected to even show up on the floor of the house of congress or the senate.
Certainly not before the election.
Re: (Score:2)
Re: (Score:3)
So surrender because we might be defeated? I don't think so. We can win this issue because Google + Apple + Microsoft + many others will join the EFF and all our traditional allies in lobbying against any backdoor proposal. Who will lobby on the other side? Law enforcement? Our allies have both deeper pockets and by far the better policy argument.
Re: (Score:1)
It will be the law abiding civilians that will be under full government surveillance, and the criminals will just add a layer of strong encryption with their own key sets.
More than 90% (this was a guesstimate) of gun crimes are carried out with unregistered guns. Same story.
Re: (Score:1)
Government should protect its citizens. It would be ideal if the people we appoint and pay to solutions us, worked hard to find the best encryption to protect secure our digital assets. Instead, the officials work to weaken us so they can claim more reason to protect us. Every citizens should be armed with strong computing environments possible to protect us from digital attacks from those who want to do us harm (everyone else).
I hope nothing happens to our country. But when a country is invaded, the first
That's not proven (Score:2)
Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.
Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.
Until there's evidence to suppor
Re: (Score:1)
Nor is it proven that the problem is within Firefox...it could as well be in the Tor modifications to Firefox...if, indeed, there is such a problem at all.
Wild speculation, whether here at /., or at Motherboard, is absent evidence. If I were an agent of the FBI and I DIDN'T know ANYTHING about some putative "back door" into Tor, I'd claim I did, to scare the #$&*%^ out of people who DO use Tor. They can, apparently, legally do that with impunity as officers for the law.
Until there's evidence to support this idle speculation, it is bunkum.
According to the linked article, that is exactly what the defense attorney is after: proof. Society can not allow a prosecutor to claim, in court, that a 'magical black box' tells them the defendant is guilty.
Re: (Score:2)
It doesn't need to be a security hole. It just needs to be some way, any way, to make Firefox connect without using the Tor proxy. All it takes is one obscure call in javascript somewhere that ignores the proxy settings.
Hyperbole much? (Score:1)
>Since the US DoJ is mounting an all-out assault to keep the Tor Browser exploit out of the public eye, common sense dictates that this is a previously unknown issue, otherwise, why bother.
Must every story on Slashdot about data security, privacy and the law be linked to articles that are so fucking hysterical in tone, so lacking in facts but so plentiful in speculation, and written so amateurishly (read: like a blog)?
I think I found an FBI safe house. (Score:2)
Re: (Score:1)
Re: (Score:1)
I'm disappointed in you guys. Neither of those links led to a goatse.
Re: (Score:3, Funny)
Do You know what is wrong in the world? What's the color of the panties of the president of Germany? If You use exploits to know that, that's a crime.
(I know this isn't funny, but that's the difference between European women and Amerian woman - American men doesn't respect American women like European men respect European woman, because Angry Bird (yes, that's was her MSN nick once) would just punch the guy who disrespects her. An women CAN be president, making things better to woman (what a hell am I talking about???) but rich men - basicaly the patriarc stereotypes, like the that enemy of Deadpool, Pope Francis - will not play by her rules... So, what are You gong to do? HUH? You're so much of a cunt, that You have a pregnant pussy full of pussies inside your pussy. Meh.
dude your brain has a buffer overflow
What is the FBI's mission? (Score:3)
According to their website [fbi.gov]
The National Security Branch carries out the FBI’s responsibilities as the lead intelligence and law enforcement agency in the nation to detect, deter, and disrupt national security threats to the United States and its interests. Our goal is to collect, analyze, and share intelligence to develop a comprehensive understanding of—and to defeat—national security threats directed against the United States while preserving civil liberties.
We continue to refine our intelligence capabilities to position ourselves to stay ahead of the evolving threats our nation faces. Intelligence directs how we understand threats, how we prioritize and investigate these threats, and how we target our resources to address them.
To ensure success, we continue to integrate our intelligence and law enforcement capabilities in every operational program. The traditional distinction between national security and criminal matters is increasingly blurred as terrorists commit crimes to finance their activities and computer hackers create vulnerabilities that can be exploited. The integration of intelligence and investigations makes the FBI uniquely situated to address these threats and vulnerabilities across programs. The FBI draws on both intelligence and law enforcement tools to determine strategically where and when to disrupt threats.
Is it just me or does a reasonable reading of this statement imply that a big part of the FBI's mission is to help eliminate vulnerabilities in software used by American citizens and companies? Is there an interpretation in which they are credibly following their own mission statement?
Re: (Score:1)
Is there an interpretation in which they are credibly following their own mission statement?
An incredible one?
Re: (Score:1)
The prime driving force in any organization is to continue it's own existence.
Allowing crime to happen such that there is someone to prosecute is necessary for the continuation of FBI's budget. They have more incentive to not defend than to do what is best for the people they serve.
I tend to agree with the FBI on this one (Score:2)
But let me point out the remotest possibility that the IP address tracked down wouldn't necessarily prove a particular person was involved.
Theoretically the best way for person to hide would be to hide behind and implicate another person. (Seriously watch more Columbo.) You would have to show that a computer wasn't infected in such a way as to secretly relay traffic. One would have to assume the software was designed to erase itself if discovered.
But I have to make the point. Getting an IP address is only t
Well since Firefox is too easy to pwn? (pwn2own) (Score:2)
the tor project should shy away from Firefox (ESR)?
https://it.slashdot.org/story/... [slashdot.org]
http://www.eweek.com/security/... [eweek.com]
Re: (Score:1)
As I posted elsewhere, that headline is a half-truth. It doesn't mean that Firefox has a lot of holes.
They 'disqualified' it because Mozilla had not recently implemented new features intended to bolster security, while the other browsers had done so in the same timeframe.
Whether those security features actually harden the browser, make it more difficult to exploit, is a different question.
HotJava (Score:2)
And people wonder why I run the HotJava program as my main browser...;-)
Since 2014 at least, used in Colorado. (Score:1)
Malicious code can be injected at
Should work two ways... (Score:1)